1 查询操作
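@Test
public void testSelect() {
    // Query demo: open a connection, run a SELECT with a plain Statement and print
    // every row. Connection/Statement/ResultSet are opened in try-with-resources so
    // they are closed in reverse order even if an earlier step fails; the original
    // closed them in finally, which threw NullPointerException whenever
    // getConnection() or executeQuery() had not yet assigned the variable.
    try {
        //1 load the driver (not required since JDBC 4, kept for older drivers)
        Class.forName("com.mysql.jdbc.Driver");
        //2 open the connection: url (jdbc:mysql://host:port/db, "jdbc:mysql:///db2"
        //  is the shorthand for localhost:3306), user, password.
        //  Demo credentials; real code reads them from configuration, not source.
        try (Connection conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/db2", "root", "root");
             //3 create the Statement and execute the fixed query (no user input)
             Statement statement = conn.createStatement();
             ResultSet rs = statement.executeQuery("select did,dname from dept")) {
            //4 walk the result set and print each row
            while (rs.next()) {
                // did is read as a String here; rs.getInt("did") would also work
                String did = rs.getString("did");
                String dname = rs.getString("dname");
                System.out.println("did: " + did);
                System.out.println("dname: " + dname);
            }
        }
    } catch (ClassNotFoundException | SQLException e) {
        // test method: report and let other failures surface as test errors
        e.printStackTrace();
    }
}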
添加操作
//2 添加操作
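@Test
public void testInsert() {
    // Insert demo. Two defects fixed: the empty catch swallowed every error (a
    // failed insert printed nothing), and the finally block called close() on
    // variables that are still null when getConnection() fails.
    try {
        //1 load the driver
        Class.forName("com.mysql.jdbc.Driver");
        //2 open the connection (demo credentials; load from configuration in real code)
        try (Connection connection = DriverManager.getConnection("jdbc:mysql:///db2", "root", "root");
             //3 create the Statement
             Statement statement = connection.createStatement()) {
            // fixed literal SQL; with user-supplied values use PreparedStatement instead
            String sql = "insert into dept values(4,'外交部')";
            // executeUpdate performs the insert and returns the affected row count
            int row = statement.executeUpdate(sql);
            System.out.println(row);
        }
    } catch (ClassNotFoundException | SQLException e) {
        e.printStackTrace();
    }
}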
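@Test
public void testDelete() {
    // Delete demo. Fixes the silent empty catch and the NullPointerException the
    // old finally block raised when the connection was never established.
    try {
        //1 load the driver
        Class.forName("com.mysql.jdbc.Driver");
        //2 open the connection (demo credentials; load from configuration in real code)
        try (Connection connection = DriverManager.getConnection("jdbc:mysql:///db2", "root", "root");
             //3 create the Statement
             Statement statement = connection.createStatement()) {
            // fixed literal SQL; with user-supplied values use PreparedStatement instead
            String sql = "delete from dept where did=4";
            // executeUpdate returns the number of deleted rows
            int row = statement.executeUpdate(sql);
            System.out.println(row);
        }
    } catch (ClassNotFoundException | SQLException e) {
        e.printStackTrace();
    }
}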
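@Test
public void testUpdate() {
    // Update demo. Fixes the silent empty catch and the NullPointerException the
    // old finally block raised when the connection was never established.
    try {
        //1 load the driver
        Class.forName("com.mysql.jdbc.Driver");
        //2 open the connection (demo credentials; load from configuration in real code)
        try (Connection connection = DriverManager.getConnection("jdbc:mysql:///db2", "root", "root");
             //3 create the Statement
             Statement statement = connection.createStatement()) {
            // fixed literal SQL; with user-supplied values use PreparedStatement instead
            String sql = "update dept set dname='对外交流部' where did=4";
            // executeUpdate returns the number of updated rows
            int row = statement.executeUpdate(sql);
            System.out.println(row);
        }
    } catch (ClassNotFoundException | SQLException e) {
        e.printStackTrace();
    }
}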
SQL 注入是利用某些系统没有对用户输入的数据进行充分的检查,而在用户输入数据中注入非法的 SQL 语句段或命令,从而利用系统的 SQL 引擎完成恶意行为的做法。对于 Java 而言,要防范 SQL 注入,只要用 PreparedStatement 取代 Statement 就可以了。
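/**
 * Demonstrates the SQL-injection problem.
 *
 * <p>{@link #login} builds its query by string concatenation, so the value
 * passed as {@code username} can change the structure of the WHERE clause
 * instead of being treated as data. {@link #main} shows this with a username
 * that closes the quoted literal and appends an always-true condition. The
 * remedy is {@code PreparedStatement} with {@code ?} placeholders, which binds
 * the values separately from the SQL text.
 */
public class JDBCDemo3 {
    public static void main(String[] args) {
        // Demo input: the quote in the username terminates the SQL literal early.
        login("mary' or '1'='1", "666");
    }

    /**
     * Simulated login that is INTENTIONALLY vulnerable to SQL injection.
     * Kept concatenated on purpose so the demo reproduces the problem; never
     * build SQL this way from untrusted input — bind parameters instead.
     *
     * <p>Resources are managed with try-with-resources; the previous finally
     * block called {@code close()} on variables that were still {@code null}
     * when an earlier step failed, which raised {@code NullPointerException}.
     *
     * @param username user name inserted verbatim into the SQL text
     * @param password password inserted verbatim into the SQL text
     */
    public static void login(String username, String password) {
        try {
            Class.forName("com.mysql.jdbc.Driver");
            // demo credentials; real code reads them from configuration, not source
            try (Connection conn = DriverManager.getConnection("jdbc:mysql:///db2", "root", "root");
                 Statement statement = conn.createStatement()) {
                // With the inputs from main() the resulting text is:
                //   select * from users where username='mary' or '1'='1' and password='666'
                // i.e. the username  mary' or '1'='1  rewrote the condition.
                String sql = "select * from users where username='" + username + "' and password='" + password + "'";
                System.out.println(sql);
                try (ResultSet rs = statement.executeQuery(sql)) {
                    while (rs.next()) {
                        String usernameValue = rs.getString("username");
                        String passwordValue = rs.getString("password");
                        // demo output only: a real application never echoes (or stores
                        // in plaintext) the password column
                        System.out.println(usernameValue + "::" + passwordValue);
                    }
                }
            }
        } catch (ClassNotFoundException | SQLException e) {
            e.printStackTrace();
        }
    }
}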
利用 Statement 拼接 SQL 语句时,要注意拼接的变量要写成这样的格式:'"+dname+"'
否则就会报这样的错误:
因为这时拼接的语句是这样的:
select * from dept where dname= 安保部
显然这样的SQL语句查询的条件少了双引号
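@Test
public void test01() {
    // Shows how a String value must be quoted when it is concatenated into SQL
    // text: the literal needs the surrounding single quotes, i.e. '"+dname+"'.
    // The unused sql1 literal from the original is dropped. Resources are
    // closed via try-with-resources; the old finally block threw
    // NullPointerException when getConnection() or executeQuery() failed.
    try {
        Class.forName("com.mysql.jdbc.Driver");
        // demo credentials; real code reads them from configuration, not source
        try (Connection conn = DriverManager.getConnection("jdbc:mysql:///db2", "root", "root");
             Statement statement = conn.createStatement()) {
            String dname = "安保部";
            // write it as '"+dname+"' so the generated SQL keeps the quotes;
            // this value is a constant here — for user input use PreparedStatement
            String sql = "select * from dept where dname='" + dname + "'";
            System.out.println(sql);
            try (ResultSet rs = statement.executeQuery(sql)) {
                while (rs.next()) {
                    String did = rs.getString("did");
                    String dnameValue = rs.getString("dname");
                    System.out.println(did + "::" + dnameValue);
                }
            }
        }
    } catch (ClassNotFoundException | SQLException e) {
        e.printStackTrace();
    }
}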
//预编译模拟登录的方法
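public static void loginPrepared(String username, String password) {
    // Simulated login using a PreparedStatement: the SQL text contains only
    // ? placeholders and the values are bound with setString, so a quote in the
    // username is sent as data and cannot alter the query.
    // Resources are closed via try-with-resources; the old finally block threw
    // NullPointerException when an earlier step failed.
    try {
        Class.forName("com.mysql.jdbc.Driver");
        // demo credentials; real code reads them from configuration, not source
        try (Connection conn = DriverManager.getConnection("jdbc:mysql:///db2", "root", "root");
             // ? marks a parameter that is supplied separately from the SQL text
             PreparedStatement preparedStatement = conn.prepareStatement(
                     "select * from users where username=? and password=?")) {
            // setString(index, value): index is the 1-based position of the ?
            preparedStatement.setString(1, username);
            preparedStatement.setString(2, password);
            try (ResultSet rs = preparedStatement.executeQuery()) {
                while (rs.next()) {
                    String usernameValue = rs.getString("username");
                    String passwordValue = rs.getString("password");
                    // demo output only: a real application never echoes (or stores
                    // in plaintext) the password column
                    System.out.println(usernameValue + "::" + passwordValue);
                }
            }
        }
    } catch (ClassNotFoundException | SQLException e) {
        e.printStackTrace();
    }
}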
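public void test04() {
    // Delete via PreparedStatement: the did value is bound with setInt instead of
    // being pasted into the SQL text. Resources are closed via try-with-resources;
    // the old finally block threw NullPointerException when getConnection() failed.
    try {
        Class.forName("com.mysql.jdbc.Driver");
        // demo credentials; real code reads them from configuration, not source
        try (Connection conn = DriverManager.getConnection("jdbc:mysql:///db2", "root", "root");
             PreparedStatement preparedStatement = conn.prepareStatement("delete from dept where did=?")) {
            // bind the single ? (1-based index)
            preparedStatement.setInt(1, 100);
            // executeUpdate returns the number of deleted rows
            int row = preparedStatement.executeUpdate();
            System.out.println(row);
        }
    } catch (ClassNotFoundException | SQLException e) {
        e.printStackTrace();
    }
}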
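public void test03() {
    // Update via PreparedStatement: dname and did are bound as parameters.
    // Resources are closed via try-with-resources; the old finally block threw
    // NullPointerException when getConnection() failed.
    try {
        Class.forName("com.mysql.jdbc.Driver");
        // demo credentials; real code reads them from configuration, not source
        try (Connection conn = DriverManager.getConnection("jdbc:mysql:///db2", "root", "root");
             PreparedStatement preparedStatement = conn.prepareStatement("update dept set dname=? where did=?")) {
            // bind the placeholders in order (1-based index)
            preparedStatement.setString(1, "行政部");
            preparedStatement.setInt(2, 100);
            // executeUpdate returns the number of updated rows
            int row = preparedStatement.executeUpdate();
            System.out.println(row);
        }
    } catch (ClassNotFoundException | SQLException e) {
        e.printStackTrace();
    }
}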
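public void test02() {
    // Insert via PreparedStatement: did and dname are bound as parameters.
    // Resources are closed via try-with-resources; the old finally block threw
    // NullPointerException when getConnection() failed.
    try {
        Class.forName("com.mysql.jdbc.Driver");
        // demo credentials; real code reads them from configuration, not source
        try (Connection conn = DriverManager.getConnection("jdbc:mysql:///db2", "root", "root");
             PreparedStatement preparedStatement = conn.prepareStatement("insert into dept values(?,?)")) {
            // bind the placeholders in order (1-based index)
            preparedStatement.setInt(1, 100);
            preparedStatement.setString(2, "互动部");
            // executeUpdate returns the number of inserted rows
            int row = preparedStatement.executeUpdate();
            System.out.println(row);
        }
    } catch (ClassNotFoundException | SQLException e) {
        e.printStackTrace();
    }
}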
//预编译模拟登录的方法
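public static void loginPrepared(String username, String password) {
    // Simulated login using a PreparedStatement: the SQL text contains only
    // ? placeholders and the values are bound with setString, so a quote in the
    // username is sent as data and cannot alter the query.
    // Resources are closed via try-with-resources; the old finally block threw
    // NullPointerException when an earlier step failed.
    try {
        Class.forName("com.mysql.jdbc.Driver");
        // demo credentials; real code reads them from configuration, not source
        try (Connection conn = DriverManager.getConnection("jdbc:mysql:///db2", "root", "root");
             // ? marks a parameter that is supplied separately from the SQL text
             PreparedStatement preparedStatement = conn.prepareStatement(
                     "select * from users where username=? and password=?")) {
            // setString(index, value): index is the 1-based position of the ?
            preparedStatement.setString(1, username);
            preparedStatement.setString(2, password);
            try (ResultSet rs = preparedStatement.executeQuery()) {
                while (rs.next()) {
                    String usernameValue = rs.getString("username");
                    String passwordValue = rs.getString("password");
                    // demo output only: a real application never echoes (or stores
                    // in plaintext) the password column
                    System.out.println(usernameValue + "::" + passwordValue);
                }
            }
        }
    } catch (ClassNotFoundException | SQLException e) {
        e.printStackTrace();
    }
}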
//删除
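@Test
public void test04() {
    // Delete via PreparedStatement: the did value is bound with setInt instead of
    // being pasted into the SQL text. Resources are closed via try-with-resources;
    // the old finally block threw NullPointerException when getConnection() failed.
    try {
        Class.forName("com.mysql.jdbc.Driver");
        // demo credentials; real code reads them from configuration, not source
        try (Connection conn = DriverManager.getConnection("jdbc:mysql:///db2", "root", "root");
             PreparedStatement preparedStatement = conn.prepareStatement("delete from dept where did=?")) {
            // bind the single ? (1-based index)
            preparedStatement.setInt(1, 100);
            // executeUpdate returns the number of deleted rows
            int row = preparedStatement.executeUpdate();
            System.out.println(row);
        }
    } catch (ClassNotFoundException | SQLException e) {
        e.printStackTrace();
    }
}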
//修改
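@Test
public void test03() {
    // Update via PreparedStatement: dname and did are bound as parameters.
    // Resources are closed via try-with-resources; the old finally block threw
    // NullPointerException when getConnection() failed.
    try {
        Class.forName("com.mysql.jdbc.Driver");
        // demo credentials; real code reads them from configuration, not source
        try (Connection conn = DriverManager.getConnection("jdbc:mysql:///db2", "root", "root");
             PreparedStatement preparedStatement = conn.prepareStatement("update dept set dname=? where did=?")) {
            // bind the placeholders in order (1-based index)
            preparedStatement.setString(1, "行政部");
            preparedStatement.setInt(2, 100);
            // executeUpdate returns the number of updated rows
            int row = preparedStatement.executeUpdate();
            System.out.println(row);
        }
    } catch (ClassNotFoundException | SQLException e) {
        e.printStackTrace();
    }
}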
//添加
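@Test
public void test02() {
    // Insert via PreparedStatement: did and dname are bound as parameters.
    // Resources are closed via try-with-resources; the old finally block threw
    // NullPointerException when getConnection() failed.
    try {
        Class.forName("com.mysql.jdbc.Driver");
        // demo credentials; real code reads them from configuration, not source
        try (Connection conn = DriverManager.getConnection("jdbc:mysql:///db2", "root", "root");
             PreparedStatement preparedStatement = conn.prepareStatement("insert into dept values(?,?)")) {
            // bind the placeholders in order (1-based index)
            preparedStatement.setInt(1, 100);
            preparedStatement.setString(2, "互动部");
            // executeUpdate returns the number of inserted rows
            int row = preparedStatement.executeUpdate();
            System.out.println(row);
        }
    } catch (ClassNotFoundException | SQLException e) {
        e.printStackTrace();
    }
}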